Correction #11086

Feedback on pfSense Configuration Recipes — Configuring DNS over TLS

Added by Tim Richardson over 3 years ago. Updated over 3 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 11/19/2020
Due date:
% Done: 0%
Estimated time:

Description

Page: https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html

Feedback:
The recipe says
"The hostname is technically optional but dangerous to omit. The DNS Resolver must have the hostname to validate that the correct server is providing a given response. The response is still encrypted without the hostname, but the DNS Resolver has no way to validate the response to determine if the query was intercepted and answered by a third party server (Man-in-the-Middle attack)."

I tried both Cloudflare and Google. As soon as I activated SSL forwarding, DNS resolution failed on my clients. I tried multiple times.

However, when I leave the hostname blank, it works with both Google and Cloudflare. After all my testing, I am absolutely certain that this is the one thing which made it work, and as soon as I add a "hostname" it fails. I have reproduced this three times.
For Cloudflare, I used the name in the recipe.
For Google, I used dns.google.

I am using the latest stable pfSense:
2.4.5-RELEASE-p1 (amd64)
built on Tue Jun 02 17:51:17 EDT 2020
FreeBSD 11.3-STABLE

I have the suggested LAN port forwarding rule, but the problem existed with this on or off, because the two clients I used get the DNS server from pfSense DHCP. The two clients I tested this on: Fedora 33, Pop!_OS 20.10.

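To make the distinction in the quoted recipe concrete, here are the two forward-zone forms in Unbound syntax, which is what the pfSense DNS Resolver generates from the GUI fields. This is an added illustration, not configuration from the recipe or from either participant; the certificate-bundle path and the Cloudflare authentication name are assumptions, since the page itself only names dns.google.

```conf
# Added example: Unbound DNS-over-TLS forwarding with and without an
# authentication name. Only one forward-zone for "." may be present in a
# real config; both are shown here side by side for comparison.

server:
    # Assumed path. Without a CA bundle Unbound has nothing to chain the
    # upstream certificate to, so name validation cannot succeed at all.
    tls-cert-bundle: "/etc/ssl/cert.pem"

# Weak form: hostname field left blank. The session is encrypted, but the
# certificate presented by whatever answers on port 853 is not checked
# against any expected name, so an interposed resolver is accepted.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853
    forward-addr: 1.1.1.1@853

# Corrected form: the text after '#' is the authentication name. Unbound
# requires the certificate to chain to the bundle and to match this name;
# a mismatch fails the TLS connection instead of returning an answer.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 1.1.1.1@853#cloudflare-dns.com   # assumed auth name
```

With the second form, a failing upstream is visible in the resolver log as a TLS or certificate error rather than as silent acceptance, which is the behaviour the recipe's warning is about.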
Files

ksnip_20201120-095639.png (228 KB), Tim Richardson, 11/19/2020 04:56 PM
#1

Updated by Jim Pingle over 3 years ago

  • Status changed from New to Rejected
  • Assignee deleted (Jim Pingle)

You must have some other problem in your setup. I have a test system set up with the exact config from the document and it works fine with the hostnames in place.
Omitting the hostnames means it doesn't validate the server certificate. If you have to disable that, it's possible your upstream DNS is being hijacked by another server (MITM style). Post on the forum to discuss and investigate.